Old JWT Tokens being presented to the API

Open vanch3d opened this issue 1 year ago • 7 comments

Over a number of weeks I have seen behaviour (seemingly after a CRUD event) where the browser suddenly logs out. There seems to be no obvious reason for this, as the JWT is only a few minutes old.

Today I captured the event in logs where a previously issued JWE was presented to the API and rejected (causing the logout event).

Please see the log attached where a JWT is issued at the start of the session, then on a subsequent operation a previous token is presented.

2023-08-18 16:54:37,739 [pool-29-thread-1] JwtAuthenticationProvider ERROR- jwt validation failed, reason JWT rejected due to invalid signature. Additional details: [[9] Invalid JWS Signature: JsonWebSignature{"kid":"00001","alg":"RS256"}->eyJraWQiOiIwMDAwMSIsImFsZyI6IlJTMjU2In0.eyJqdGkiOiJZSkgxaGJ4aFJvZ1VDOHpMZjJfeWdnIiwiaWF0IjoxNjkyMzczODk2LCJhdWQiOiJIaXZlTVEtRWRnZS1BcGkiLCJpc3MiOiJIaXZlTVEtRWRnZSIsImV4cCI6MTY5MjM3NTY5NiwibmJmIjoxNjkyMzczNzc2LCJzdWIiOiJhZG1pbiIsInJvbGVzIjpbImFkbWluIl19.CPwswyJtkeHvOYWTK9Y6DTcEAA-2QeMKfWB-c80bAZbKmLacDjlcekHJM7L66HI1qG4MH3urWljQa4G0zbNztGoMu9NVp6EIAc_UW4YNSx-ovaFTAZLPyfFYvWtSlDjN84A5CZ2FVeKBTiBaO7QsvQ47_ak5dl4CtLZ_yD2HG01GzvkN9Lhk6046P8cT_SO_Bmsij4F7R1RsZAxa1mBTHAS8eKvexwAMzwWsXsvxha5imHsd14aIX8Poe321R_gZkQnooTRduisYsVxyMVaJZu3GSAfYF2xzxZ9UkwzUM4TTn2JiexVPIDm02m4xqgGu3rxe_4Sosz82Hy--MzY_lA]


2023-08-18 16:54:41,707 [pool-29-thread-2] JwtAuthenticationProvider INFO- Generated JWE 'eyJraWQiOiIwMDAwMSIsImFsZyI6IlJTMjU2In0.eyJqdGkiOiIwZmdDX3gzcHJrdHVwbWRLTHhMVUpnIiwiaWF0IjoxNjkyMzc0MDgxLCJhdWQiOiJIaXZlTVEtRWRnZS1BcGkiLCJpc3MiOiJIaXZlTVEtRWRnZSIsImV4cCI6MTY5MjM3NTg4MSwibmJmIjoxNjkyMzczOTYxLCJzdWIiOiJhZG1pbiIsInJvbGVzIjpbImFkbWluIl19.AtdhBfZiLJxiFmZMtFjmQmUhwMaG31ZklIIOdNrrh94C3w4Pr7v-Rn-k0D7VdlkF-LyamZUUAGIr4JG8Xse9NovKX8vBwvSodTOKv-9JBF5PB4Q3Tj_1GHGSTKXwzz6X2W339y18r0kwQp_hBt_Tl9mSHA4reIoAUJuB4SXfYZvHCoIcbnMqVgdZKt2i_xeCWsjvuB8vlsJ7Dm8EIdDrgJLHIVQhIb4Sv4cx0Lk_umiPAa3Kj7Ufyfg2n7G8zbF_VNnoPQdqmdJd1hpn3AYbnx5HwaplFtv5qafCHC572214UwOKqPx8mSrkvSeBtg08qPmolryavsgGjh5E48G2_w' for principal ApiPrincipal{name='admin', roles=[admin]}

2023-08-18 16:54:50,796 [pool-29-thread-1] JwtAuthenticationProvider ERROR- jwt validation failed, reason JWT rejected due to invalid signature. Additional details: [[9] Invalid JWS Signature: JsonWebSignature{"kid":"00001","alg":"RS256"}->eyJraWQiOiIwMDAwMSIsImFsZyI6IlJTMjU2In0.eyJqdGkiOiJZSkgxaGJ4aFJvZ1VDOHpMZjJfeWdnIiwiaWF0IjoxNjkyMzczODk2LCJhdWQiOiJIaXZlTVEtRWRnZS1BcGkiLCJpc3MiOiJIaXZlTVEtRWRnZSIsImV4cCI6MTY5MjM3NTY5NiwibmJmIjoxNjkyMzczNzc2LCJzdWIiOiJhZG1pbiIsInJvbGVzIjpbImFkbWluIl19.CPwswyJtkeHvOYWTK9Y6DTcEAA-2QeMKfWB-c80bAZbKmLacDjlcekHJM7L66HI1qG4MH3urWljQa4G0zbNztGoMu9NVp6EIAc_UW4YNSx-ovaFTAZLPyfFYvWtSlDjN84A5CZ2FVeKBTiBaO7QsvQ47_ak5dl4CtLZ_yD2HG01GzvkN9Lhk6046P8cT_SO_Bmsij4F7R1RsZAxa1mBTHAS8eKvexwAMzwWsXsvxha5imHsd14aIX8Poe321R_gZkQnooTRduisYsVxyMVaJZu3GSAfYF2xzxZ9UkwzUM4TTn2JiexVPIDm02m4xqgGu3rxe_4Sosz82Hy--MzY_lA]

vanch3d • Sep 08 '23 13:09
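The comparison made in the report above can be checked mechanically. This is an added example, not HiveMQ Edge code and not part of the original issue: it pulls the JWTs out of log lines shaped like the ones posted, decodes the claims without verifying anything, and flags a rejected token whose `iat` predates a token the log shows was generated earlier. The log lines are shortened, the signatures are replaced by a constructed placeholder, and the function names are assumptions.

```python
import base64
import json
import re

# Header and claims segments copied from the log lines in the report.
# "sig" is a constructed placeholder: decoding claims does not need the signature.
HDR = "eyJraWQiOiIwMDAwMSIsImFsZyI6IlJTMjU2In0"
REJECTED = HDR + ".eyJqdGkiOiJZSkgxaGJ4aFJvZ1VDOHpMZjJfeWdnIiwiaWF0IjoxNjkyMzczODk2LCJhdWQiOiJIaXZlTVEtRWRnZS1BcGkiLCJpc3MiOiJIaXZlTVEtRWRnZSIsImV4cCI6MTY5MjM3NTY5NiwibmJmIjoxNjkyMzczNzc2LCJzdWIiOiJhZG1pbiIsInJvbGVzIjpbImFkbWluIl19.sig"
GENERATED = HDR + ".eyJqdGkiOiIwZmdDX3gzcHJrdHVwbWRLTHhMVUpnIiwiaWF0IjoxNjkyMzc0MDgxLCJhdWQiOiJIaXZlTVEtRWRnZS1BcGkiLCJpc3MiOiJIaXZlTVEtRWRnZSIsImV4cCI6MTY5MjM3NTg4MSwibmJmIjoxNjkyMzczOTYxLCJzdWIiOiJhZG1pbiIsInJvbGVzIjpbImFkbWluIl19.sig"
LOG = [  # shortened forms of the three log lines in the report
    "2023-08-18 16:54:37,739 ERROR- jwt validation failed ->" + REJECTED + "]",
    "2023-08-18 16:54:41,707 INFO- Generated JWE '" + GENERATED + "' for principal",
    "2023-08-18 16:54:50,796 ERROR- jwt validation failed ->" + REJECTED + "]",
]
JWT_RE = re.compile(r"eyJ[\w-]+\.eyJ[\w-]+\.[\w-]+")

def decode_segment(seg):
    """Base64url-decode one JWT segment, restoring the stripped padding."""
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def events(lines):
    """One record per log line that carries a JWT; claims are NOT verified."""
    out = []
    for line in lines:
        m = JWT_RE.search(line)
        if not m:
            continue
        header, payload, _sig = m.group(0).split(".")
        c = decode_segment(payload)
        out.append({"kind": "generated" if "Generated" in line else "rejected",
                    "kid": decode_segment(header)["kid"], "jti": c["jti"],
                    "iat": c["iat"], "lifetime": c["exp"] - c["iat"]})
    return out

def stale_presentations(lines):
    """Rejected tokens issued before a token generated earlier in the log.
    Returns (jti, seconds the rejected token is older than the newest one)."""
    newest, stale = None, []
    for e in events(lines):
        if e["kind"] == "generated":
            newest = e
        elif newest and e["iat"] < newest["iat"]:
            stale.append((e["jti"], newest["iat"] - e["iat"]))
    return stale

if __name__ == "__main__":
    for e in events(LOG):
        print(e)
    print("stale:", stale_presentations(LOG))
```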